Security Risk: Dangerous
Exploitation Level: Moderately Difficult/Remote
DREAD Score: 6.8/10
Vulnerability: Arbitrary File Deletion
Patched Version: 4.9.7
The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues.
Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.
Are You at Risk?
If you are running WordPress 4.9.6 or earlier, or do not have automatic updates enabled and cannot confirm your site is on 4.9.7, your site may be vulnerable to this security issue, originally reported by Slavco.
Technical Details
As mentioned in the original full disclosure article, the media editor page relies on user-supplied input to decide which file to delete when an attachment is removed from the site, without confining that path to the uploads directory. This may allow bad actors to delete files outside of the uploads directory and potentially take control of your website.
Due to the nature of this editor, this bug can only be exploited by authenticated users with file upload privileges (the Author role or higher).
In order to take over a site using this vulnerability, an attacker needs to remove important files from the site’s directory, such as wp-config.php. Without that file WordPress presents its installation screen again, and the attacker can complete the setup with database credentials and an administrator account of their choosing.
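To make the flaw concrete, here is an added illustration of the bug class rather than WordPress core code or the 4.9.7 patch itself: a minimal attachment-delete routine that trusts a stored, user-controllable relative path, beside a hardened version that refuses anything outside the uploads directory. The function names, the temporary directory layout and the sample paths are all assumptions constructed for this example.

```php
<?php
// Added example (not WordPress code): an attachment-delete routine that
// trusts user-controllable metadata, next to a hardened variant that
// confines deletion to the uploads directory.

function delete_attachment_file_vulnerable(string $uploads_dir, string $relative_path): bool
{
    // The relative path comes from metadata a user with upload rights could
    // edit. "../../wp-config.php" walks out of the uploads directory.
    $target = $uploads_dir . '/' . $relative_path;
    return @unlink($target);
}

function delete_attachment_file_hardened(string $uploads_dir, string $relative_path): bool
{
    // realpath() collapses "..", "." and symlinks, so the comparison below
    // is made on canonical paths rather than on the attacker's string.
    $base   = realpath($uploads_dir);
    $target = realpath($uploads_dir . '/' . $relative_path);
    if ($base === false || $target === false) {
        return false; // uploads directory or target file does not exist
    }
    // The canonical target must sit strictly inside the uploads directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // traversal or symlink escape: refuse to delete
    }
    return unlink($target);
}

// Constructed demonstration layout under the system temp directory
// (assumed names; mirrors a site root with wp-config.php and uploads).
$root = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // database credentials\n");
file_put_contents("$root/wp-content/uploads/photo.jpg", "jpeg-bytes");

$uploads = "$root/wp-content/uploads";
$escape  = '../../wp-config.php';

printf("hardened, traversal path refused:   %s\n",
    delete_attachment_file_hardened($uploads, $escape) ? 'no' : 'yes');
printf("wp-config.php still present:        %s\n",
    file_exists("$root/wp-config.php") ? 'yes' : 'no');
printf("hardened, legitimate upload removed: %s\n",
    delete_attachment_file_hardened($uploads, 'photo.jpg') ? 'yes' : 'no');
printf("vulnerable, traversal path deleted:  %s\n",
    delete_attachment_file_vulnerable($uploads, $escape) ? 'yes' : 'no');
printf("wp-config.php still present:        %s\n",
    file_exists("$root/wp-config.php") ? 'yes' : 'no');

// Clean up the constructed layout.
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

The hardened check compares canonical paths, so it also rejects a symlink placed inside uploads that points at a file elsewhere. A check that merely strips "../" from the string would not, and is the kind of filter that is routinely bypassed.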
Update As Soon As Possible
If you are using a vulnerable version of WordPress (4.9.6 or earlier), we encourage you to update your CMS as soon as possible. You can confirm the installed version from Dashboard > Updates, or with WP-CLI via wp core version.
In the event that you are unable to update to the latest version, we strongly recommend that you employ the Sucuri Firewall or an equivalent technology to virtually patch the vulnerability.